0xray 2.0.0 → 2.0.1

package/dist/security/security-auditor.d.ts

@@ -0,0 +1,56 @@
+/**
+ * Security Audit Tool
+ *
+ * Comprehensive security auditing for the framework and its components.
+ * Identifies vulnerabilities, misconfigurations, and security weaknesses.
+ *
+ * @version 1.0.0
+ * @since 2026-01-07
+ */
+export interface SecurityIssue {
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    category: string;
+    file: string;
+    line?: number;
+    description: string;
+    recommendation: string;
+    cwe?: string;
+}
+export interface SecurityAuditResult {
+    totalFiles: number;
+    issues: SecurityIssue[];
+    summary: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        info: number;
+    };
+    score: number;
+}
+export declare class SecurityAuditor {
+    private readonly dangerousPatterns;
+    private readonly dangerousImports;
+    /**
+     * Run comprehensive security audit
+     */
+    auditProject(projectPath?: string): Promise<SecurityAuditResult>;
+    private getAllFiles;
+    private shouldSkipDirectory;
+    private shouldAuditFile;
+    private auditFile;
+    private isFalsePositive;
+    private auditImports;
+    private auditFilePermissions;
+    private auditPackageJson;
+    private auditConfiguration;
+    private auditDependencies;
+    private getRecommendationForCategory;
+    private generateSummary;
+    private calculateSecurityScore;
+    /**
+     * Generate security audit report
+     */
+    generateReport(result: SecurityAuditResult): string;
+}
+export declare const securityAuditor: SecurityAuditor;

package/dist/security/security-hardener.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Security Hardening Module
+ *
+ * Implements additional security measures and hardening for the framework.
+ * Addresses vulnerabilities identified during security audit.
+ *
+ * @version 1.0.0
+ * @since 2026-01-07
+ */
+import { SecurityIssue } from "./security-auditor.js";
+export interface SecurityHardeningConfig {
+    enableInputValidation: boolean;
+    enableRateLimiting: boolean;
+    enableAuditLogging: boolean;
+    enableSecureHeaders: boolean;
+    maxRequestSizeBytes: number;
+    rateLimitWindowMs: number;
+    rateLimitMaxRequests: number;
+}
+export declare class SecurityHardener {
+    private config;
+    constructor(config?: Partial<SecurityHardeningConfig>);
+    /**
+     * Apply security hardening based on audit results
+     */
+    hardenSecurity(auditResult: {
+        issues: SecurityIssue[];
+    }): Promise<{
+        appliedFixes: string[];
+        remainingIssues: SecurityIssue[];
+    }>;
+    private applyFixForIssue;
+    private fixHardcodedSecrets;
+    private fixFilePermissions;
+    private fixDependencyManagement;
+    private addInputValidation;
+    /**
+     * Add security headers to HTTP responses
+     */
+    addSecurityHeaders(headers: Record<string, string>): Record<string, string>;
+    /**
+     * Validate input data
+     */
+    validateInput(input: any, schema: any): {
+        valid: boolean;
+        errors: string[];
+    };
+    /**
+     * Check rate limiting
+     */
+    checkRateLimit(identifier: string, requests: Map<string, number[]>): boolean;
+    /**
+     * Log security events
+     */
+    logSecurityEvent(event: {
+        type: string;
+        severity: "low" | "medium" | "high" | "critical";
+        message: string;
+        metadata?: Record<string, any>;
+    }): void;
+}
+export declare const securityHardener: SecurityHardener;

package/dist/security/security-hardening-system.d.ts

@@ -0,0 +1,239 @@
+/**
+ * Security Hardening System
+ *
+ * Comprehensive security hardening implementation with OWASP compliance.
+ * Implements defense-in-depth security architecture for enterprise applications.
+ *
+ * @version 1.0.0
+ * @since 2026-01-08
+ */
+import { EventEmitter } from "events";
+import { IncomingMessage, ServerResponse } from "http";
+export declare const SECURITY_CONFIG: {
+    readonly headers: {
+        readonly "X-Content-Type-Options": "nosniff";
+        readonly "X-Frame-Options": "DENY";
+        readonly "X-XSS-Protection": "1; mode=block";
+        readonly "Strict-Transport-Security": "max-age=31536000; includeSubDomains";
+        readonly "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
+        readonly "Referrer-Policy": "strict-origin-when-cross-origin";
+        readonly "Permissions-Policy": "geolocation=(), microphone=(), camera=()";
+        readonly "Cross-Origin-Embedder-Policy": "require-corp";
+        readonly "Cross-Origin-Opener-Policy": "same-origin";
+        readonly "Cross-Origin-Resource-Policy": "same-origin";
+    };
+    readonly rateLimiting: {
+        readonly windowMs: number;
+        readonly maxRequests: 100;
+        readonly skipSuccessfulRequests: false;
+        readonly skipFailedRequests: false;
+    };
+    readonly inputValidation: {
+        readonly maxStringLength: 10000;
+        readonly maxArrayLength: 1000;
+        readonly maxObjectDepth: 10;
+        readonly allowedCharacters: RegExp;
+        readonly sqlInjectionPatterns: readonly [RegExp, RegExp];
+        readonly xssPatterns: readonly [RegExp, RegExp, RegExp, RegExp];
+    };
+    readonly encryption: {
+        readonly algorithm: "aes-256-gcm";
+        readonly keyLength: 32;
+        readonly ivLength: 16;
+        readonly saltRounds: 12;
+    };
+    readonly audit: {
+        readonly logLevel: "detailed";
+        readonly retentionDays: 90;
+        readonly sensitiveFields: readonly ["password", "token", "secret", "key", "authorization"];
+    };
+};
+export type SecurityEventType = "input_validation_failure" | "rate_limit_exceeded" | "authentication_failure" | "authorization_failure" | "suspicious_activity" | "sql_injection_attempt" | "xss_attempt" | "csrf_attempt" | "security_header_missing" | "encryption_failure" | "audit_log_failure";
+export type SecuritySeverity = "low" | "medium" | "high" | "critical";
+export interface SecurityEvent {
+    id: string;
+    type: SecurityEventType;
+    severity: SecuritySeverity;
+    message: string;
+    source: string;
+    userId?: string;
+    ipAddress?: string;
+    userAgent?: string;
+    timestamp: number;
+    metadata: Record<string, unknown>;
+    stackTrace?: string;
+}
+export interface ValidationResult {
+    isValid: boolean;
+    errors: string[];
+    sanitizedValue?: unknown;
+    securityEvents: SecurityEvent[];
+}
+export interface RateLimitEntry {
+    count: number;
+    resetTime: number;
+    lastRequest: number;
+}
+export interface SecurityMiddlewareOptions {
+    enableRateLimiting?: boolean;
+    enableInputValidation?: boolean;
+    enableSecurityHeaders?: boolean;
+    enableAuditLogging?: boolean;
+    enableCsrfProtection?: boolean;
+    enableHsts?: boolean;
+    customHeaders?: Record<string, string>;
+    trustedOrigins?: string[];
+    rateLimitOptions?: Partial<typeof SECURITY_CONFIG.rateLimiting>;
+}
+/**
+ * Core security hardening system
+ */
+export declare class SecurityHardeningSystem extends EventEmitter {
+    private rateLimitStore;
+    private securityEvents;
+    private encryptionKey;
+    private auditLogEnabled;
+    private started;
+    private pendingEncryptionKey;
+    private boundSecurityEvent;
+    private boundRateLimitExceeded;
+    private boundValidationFailure;
+    constructor(encryptionKey?: string);
+    start(): void;
+    /**
+     * Setup event handlers for security events
+     */
+    private setupEventHandlers;
+    destroy(): void;
+    /**
+     * Create security middleware for HTTP requests
+     */
+    createSecurityMiddleware(options?: SecurityMiddlewareOptions): (req: IncomingMessage, res: ServerResponse) => Promise<boolean>;
+    /**
+     * Check rate limiting for requests
+     */
+    private checkRateLimit;
+    /**
+     * Apply security headers to response
+     */
+    private applySecurityHeaders;
+    /**
+     * Validate CSRF token
+     */
+    private validateCsrfToken;
+    /**
+     * Validate and sanitize input data
+     */
+    validateInput(input: unknown, context?: string): ValidationResult;
+    /**
+     * Validate string input
+     */
+    private validateString;
+    /**
+     * Validate object input
+     */
+    private validateObject;
+    /**
+     * Validate array input
+     */
+    private validateArray;
+    /**
+     * Check for security patterns in input
+     */
+    private checkSecurityPatterns;
+    /**
+     * Encrypt sensitive data using AES-256-GCM
+     * SECURITY: Proper encryption with random IV and authentication tag (H-001 fix)
+     *
+     * @param data - Plaintext data to encrypt
+     * @returns Base64-encoded string containing encrypted data + IV + auth tag
+     */
+    encryptData(data: string): string;
+    /**
+     * Decrypt sensitive data using AES-256-GCM
+     * SECURITY: Proper decryption with IV and auth tag verification (H-001 fix)
+     *
+     * @param encryptedData - Base64-encoded string containing encrypted data + IV + auth tag
+     * @returns Decrypted plaintext data
+     * @throws Error if decryption fails or authentication tag doesn't match
+     */
+    decryptData(encryptedData: string): string | null;
+    /**
+     * Hash password securely with unique salt
+     * SECURITY: Generates unique random salt for each password (H-003 fix)
+     */
+    hashPassword(password: string): Promise<{
+        hash: string;
+        salt: string;
+    }>;
+    /**
+     * Verify password hash
+     */
+    verifyPassword(password: string, hash: string, salt: string): Promise<boolean>;
+    /**
+     * Generate secure random token
+     */
+    generateSecureToken(length?: number): string;
+    /**
+     * Log audit event
+     */
+    private logAuditEvent;
+    /**
+     * Sanitize headers for audit logging
+     */
+    private sanitizeHeadersForAudit;
+    /**
+     * Emit security event
+     */
+    private emitSecurityEvent;
+    /**
+     * Handle security events
+     */
+    private handleSecurityEvent;
+    /**
+     * Handle rate limit exceeded
+     */
+    private handleRateLimitExceeded;
+    /**
+     * Handle validation failure
+     */
+    private handleValidationFailure;
+    /**
+     * Get client IP address
+     */
+    private getClientIP;
+    /**
+     * Get rate limit info for IP
+     */
+    private getRateLimitInfo;
+    /**
+     * Get object depth
+     */
+    private getObjectDepth;
+    /**
+     * Cleanup old rate limit entries
+     */
+    private cleanupRateLimitStore;
+    /**
+     * Get security events
+     */
+    getSecurityEvents(limit?: number): SecurityEvent[];
+    /**
+     * Clear security events
+     */
+    clearSecurityEvents(): void;
+    /**
+     * Get security statistics
+     */
+    getSecurityStats(): {
+        totalEvents: number;
+        eventsByType: Record<SecurityEventType, number>;
+        eventsBySeverity: Record<SecuritySeverity, number>;
+        recentEvents: SecurityEvent[];
+    };
+    /**
+     * Enable/disable audit logging
+     */
+    setAuditLogging(enabled: boolean): void;
+}
+export declare const securityHardeningSystem: SecurityHardeningSystem;

package/dist/security/security-headers.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Security Headers Middleware
+ *
+ * Comprehensive security headers implementation for HTTP responses.
+ * Integrates with boot orchestrator and API endpoints.
+ *
+ * @version 1.0.0
+ * @since 2026-01-07
+ */
+export interface HttpResponse {
+    setHeader(name: string, value: string): void;
+}
+export interface ExpressMiddlewareParams {
+    req: unknown;
+    res: HttpResponse;
+    next: (err?: Error) => void;
+}
+export interface FastifyMiddlewareParams {
+    request: unknown;
+    reply: HttpResponse;
+    done: (err?: Error) => void;
+}
+export interface SecurityHeadersConfig {
+    enableCSP: boolean;
+    enableHSTS: boolean;
+    enableFrameOptions: boolean;
+    enableXSSProtection: boolean;
+    enableContentTypeOptions: boolean;
+    enableReferrerPolicy: boolean;
+    enablePermissionsPolicy: boolean;
+    customCSP?: string;
+    hstsMaxAge?: number;
+    hstsIncludeSubdomains?: boolean;
+    hstsPreload?: boolean;
+}
+export declare class SecurityHeadersMiddleware {
+    private config;
+    constructor(config?: Partial<SecurityHeadersConfig>);
+    /**
+     * Apply security headers to HTTP response
+     */
+    applySecurityHeaders(response: HttpResponse): void;
+    /**
+     * Express.js middleware function
+     */
+    getExpressMiddleware(): (req: unknown, res: HttpResponse, next: (err?: Error) => void) => void;
+    /**
+     * Fastify middleware function
+     */
+    getFastifyMiddleware(): (request: unknown, reply: HttpResponse, done: (err?: Error) => void) => void;
+    /**
+     * Generic middleware for any HTTP framework
+     */
+    getMiddleware(): (response: HttpResponse) => void;
+    /**
+     * Update configuration
+     */
+    updateConfig(newConfig: Partial<SecurityHeadersConfig>): void;
+    /**
+     * Get current configuration
+     */
+    getConfig(): SecurityHeadersConfig;
+}
+export declare const securityHeadersMiddleware: SecurityHeadersMiddleware;

package/dist/security/security-orchestration-layer.d.ts

@@ -0,0 +1,119 @@
+/**
+ * Security Orchestration Layer
+ *
+ * Coordinates multiple security agents for comprehensive vulnerability scanning,
+ * automated remediation, and compliance validation using weighted voting
+ * for architectural decisions.
+ *
+ * @version 1.22.13
+ */
+import { EventEmitter } from "events";
+import { Vulnerability, RemediationPlan, ComplianceStandard } from "./comprehensive-security-audit.js";
+export interface SecurityAgent {
+    id: string;
+    name: string;
+    type: SecurityAgentType;
+    weight: number;
+    status: AgentStatus;
+    lastActive?: Date;
+    capabilities: string[];
+}
+export type SecurityAgentType = "security-auditor" | "code-analyzer" | "testing-lead" | "architect" | "vulnerability-scanner" | "compliance-validator" | "remediation-specialist";
+export type AgentStatus = "idle" | "scanning" | "analyzing" | "reporting" | "error";
+export interface OrchestrationConfig {
+    enableWeightedVoting: boolean;
+    enableAutoRemediation: boolean;
+    decisionThreshold: number;
+    agentWeights: Record<SecurityAgentType, number>;
+    scanDepth: "shallow" | "medium" | "deep";
+    complianceStandards: ComplianceStandard[];
+    maxConcurrentAgents: number;
+    timeout: number;
+}
+export interface SecurityTask {
+    id: string;
+    type: SecurityTaskType;
+    priority: "critical" | "high" | "medium" | "low";
+    assignedAgent?: SecurityAgent;
+    status: "pending" | "in-progress" | "completed" | "failed";
+    result?: unknown;
+    error?: string;
+    createdAt: Date;
+    completedAt?: Date;
+}
+export type SecurityTaskType = "vulnerability-scan" | "code-analysis" | "compliance-check" | "remediation" | "threat-detection" | "security-review";
+export interface AgentVote {
+    agentId: string;
+    agentName: string;
+    vote: "approve" | "reject" | "abstain";
+    weight: number;
+    reasoning: string;
+    concerns: string[] | undefined;
+    confidence: number;
+}
+export interface SecurityDecision {
+    id: string;
+    title: string;
+    description: string;
+    type: "approval" | "rejection" | "revision-required";
+    votes: AgentVote[];
+    weightedApproval: number;
+    threshold: number;
+    approved: boolean;
+    timestamp: Date;
+    relatedVulnerabilities: string[] | undefined;
+}
+export interface SecurityOrchestrationReport {
+    auditId: string;
+    timestamp: Date;
+    duration: number;
+    agents: SecurityAgent[];
+    tasks: SecurityTask[];
+    decisions: SecurityDecision[];
+    summary: {
+        totalVulnerabilities: number;
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        securityScore: number;
+        complianceScore: number;
+    };
+    vulnerabilities: Vulnerability[];
+    prioritizedRemediation: RemediationPlan[];
+    recommendations: string[];
+}
+export declare class SecurityOrchestrationLayer extends EventEmitter {
+    private config;
+    private agents;
+    private tasks;
+    private decisions;
+    private auditSystem;
+    private isRunning;
+    constructor(config?: Partial<OrchestrationConfig>);
+    private initializeAgents;
+    runSecurityOrchestration(projectPath: string): Promise<SecurityOrchestrationReport>;
+    private createTask;
+    private executeVulnerabilityScan;
+    private executeComplianceCheck;
+    private executeRemediationPlanning;
+    private updateAgentStatus;
+    private collectAgentVotes;
+    private generateAgentVote;
+    private makeSecurityDecisions;
+    private createDecision;
+    private generateOrchestrationReport;
+    private calculateSecurityScore;
+    private calculateComplianceScore;
+    private prioritizeRemediation;
+    private estimateFixTime;
+    private generateRecommendations;
+    getAgents(): SecurityAgent[];
+    getAgent(agentId: string): SecurityAgent | undefined;
+    getTasks(): SecurityTask[];
+    getDecisions(): SecurityDecision[];
+    getActiveAgents(): SecurityAgent[];
+    getVulnerabilities(): Vulnerability[];
+}
+export declare function createSecurityOrchestrationLayer(config?: Partial<OrchestrationConfig>): SecurityOrchestrationLayer;
+export declare function runSecurityOrchestration(projectPath: string, config?: Partial<OrchestrationConfig>): Promise<SecurityOrchestrationReport>;

package/dist/security/security-scanner.d.ts

@@ -0,0 +1,119 @@
+/**
+ * 0xRay Framework - Security Scanner
+ *
+ * Automated security vulnerability scanning and compliance validation
+ * Integrates with security tools and provides comprehensive security reports
+ */
+export interface SecurityScanConfig {
+    enabled: boolean;
+    tools: {
+        npmAudit: boolean;
+        trivy: boolean;
+        eslintSecurity: boolean;
+        dependencyCheck: boolean;
+    };
+    severityThreshold: "low" | "moderate" | "high" | "critical";
+    reportPath: string;
+    failOnVulnerabilities: boolean;
+}
+export interface SecurityVulnerability {
+    id: string;
+    title: string;
+    description: string;
+    severity: "low" | "moderate" | "high" | "critical";
+    package?: string;
+    version?: string;
+    cve?: string;
+    url?: string;
+    recommendation: string;
+}
+export interface SecurityReport {
+    timestamp: string;
+    duration: number;
+    tools: {
+        npmAudit: SecurityVulnerability[];
+        trivy: SecurityVulnerability[];
+        eslintSecurity: SecurityVulnerability[];
+        dependencyCheck: SecurityVulnerability[];
+    };
+    summary: {
+        totalVulnerabilities: number;
+        bySeverity: Record<string, number>;
+        byTool: Record<string, number>;
+    };
+    recommendations: string[];
+    compliant: boolean;
+}
+export declare class SecurityScanner {
+    private config;
+    constructor(config?: Partial<SecurityScanConfig>);
+    /**
+     * Run comprehensive security scan
+     */
+    runSecurityScan(): Promise<SecurityReport>;
+    /**
+     * Run npm audit
+     */
+    private runNpmAudit;
+    /**
+     * Run Trivy security scan
+     */
+    private runTrivyScan;
+    /**
+     * Run ESLint security rules
+     */
+    private runEslintSecurity;
+    /**
+     * Run OWASP Dependency Check
+     */
+    private runDependencyCheck;
+    /**
+     * Generate comprehensive security report
+     */
+    private generateReport;
+    /**
+     * Generate security recommendations
+     */
+    private generateRecommendations;
+    /**
+     * Save report to file
+     */
+    private saveReport;
+    /**
+     * Log security scan results
+     */
+    private logResults;
+    /**
+     * Map npm audit severity levels
+     */
+    private mapNpmSeverity;
+    /**
+     * Map Trivy severity levels
+     */
+    private mapTrivySeverity;
+    /**
+     * Map Dependency Check severity levels
+     */
+    private mapDependencyCheckSeverity;
+    /**
+     * Validate AI prompt security
+     */
+    validatePrompt(prompt: string): Promise<{
+        isSafe: boolean;
+        violations: string[];
+        riskLevel: string;
+    }>;
+    /**
+     * Validate AI response security
+     */
+    validateResponse(response: string): Promise<{
+        isSafe: boolean;
+        violations: string[];
+        riskLevel: string;
+    }>;
+    /**
+     * Create empty report when scanning is disabled
+     */
+    private createEmptyReport;
+}
+export declare const securityScanner: SecurityScanner;